Help Keep Company Data Safe on Employees’ Personal Devices

Securing smartphones and tablets used for work protects both the employee and the business.

More of your employees are using personal consumer devices for work than you may realize. The majority of them probably carry an Internet-enabled smartphone, like an iPhone, a BlackBerry, or an Android phone, and some may even be using an iPad for work, too. And employees are using these devices to access and work with the company data they need to do their jobs. Like the computers at your office, employees’ personal devices should be secured to protect both the business assets on your network and any sensitive data on employees’ personal devices.

Last November, Cisco published the Cisco Connected World Report, which confirms several things small business owners probably already suspect. One, there really is no longer a boundary between professional computers and private devices. Two, people want to use their own devices for work. And three, employees will use their personal devices, especially smartphones, for work regardless of IT policy; the devices are easy to use, convenient, and often imperative for quickly responding to email messages.

This means that your security policies and procedures need to match your employees’ behaviors. In the end, your employees will be able to safely work from any location, even with their own devices.

Rewrite your acceptable use policy

The first thing you should do is update your acceptable use policy to include smartphones and tablets. The policy should recognize that everyone benefits from secure consumer devices. After all, employees’ personal data is probably as sensitive as much of the business information they’re storing on these devices.

The policy also should outline your expectations for these devices, such as who has rights to the data on them, as well as users’ responsibilities, including security procedures. You can set a variety of conditions for using these devices at work, such as protecting them with a secure password and requiring that employees access your network only through a VPN (virtual private network) connection. Above all, the new policy should be written in a clear, transparent manner.

Following are three actions your acceptable use policy should include:

1. Employees must register their personal devices with your company if they want to use them for work. This could be as simple as sending their manager an email that says, “I’ve brought my iPad to work today.” Or, it could be a more formal process that includes getting the device authorized with a wireless access point on your network. Employees should also notify your company if their personal device is lost or stolen.

2. Employees must follow strict guidelines about the kind of business data that can be stored on their devices. For example, maybe you allow employees to read and respond to business email but not allow them to download and view attachments that contain confidential information.

3. Employees must install any security applications you make a mandatory condition of using personal devices for work. This could include antivirus and antispam software as well as a firewall and VPN connection to the network. You might also require a remote self-destruct application that will wipe the device clean if it’s lost or stolen. Just make sure employees understand that the app will destroy their personal data as well as any company data, and that this protection is of benefit to them, too.

Secure the network against rogue devices

Even if employees follow all of these actions, their devices can’t be completely trusted. They still belong to the employees, and you can’t control all of the data and apps they install on their smartphones and tablets. Therefore, you need to take action to protect your network. You can start by setting your wireless access points to only allow access from consumer devices that have been registered and authorized for those access points.

You can also deploy a security system, such as the Cisco SA500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance, that gives you more control over the traffic that’s streaming in and out of your employees’ personal devices. You can set up a separate VLAN that keeps traffic from personal devices separate from the rest of the traffic on your company’s network, and you can create VPN connections just for these devices. You can also add an intrusion prevention system (IPS) to the SA500 that lets you monitor traffic from employees’ devices for potential security threats. And, if you have an ASA 5500 installed on your network, you can add a Cisco AnyConnect Secure Mobility Client, which provides secure connectivity for a variety of mobile devices, including the Apple iPhone.
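An added example (not from the original article and not Cisco code) of the admission logic described above: a personal device is placed on the segregated VLAN only if it is registered, has not been reported lost, has the required security apps, and connects through the VPN. The VLAN ID, app names, and registry contents are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed policy values, chosen for illustration only.
REQUIRED_APPS = {"antivirus", "firewall", "vpn_client", "remote_wipe"}
BYOD_VLAN = 30  # hypothetical VLAN reserved for personal devices

@dataclass
class Device:
    mac: str
    owner: str
    installed_apps: set
    reported_lost: bool = False

def normalize_mac(mac):
    """Accept 00-1A-.., 00:1a:.., or 001a.2b3c.. and return 00:1a:.. form."""
    hexd = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexd):
        raise ValueError("malformed MAC address")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))

def build_registry(devices):
    return {normalize_mac(d.mac): d for d in devices}

def admit(mac, registry, via_vpn):
    """Return (decision, vlan, reason) for a device asking for network access."""
    try:
        dev = registry.get(normalize_mac(mac))
    except ValueError as exc:
        return ("deny", None, str(exc))
    if dev is None:
        return ("deny", None, "not registered")
    if dev.reported_lost:
        return ("deny", None, "reported lost or stolen")
    missing = sorted(REQUIRED_APPS - dev.installed_apps)
    if missing:
        return ("deny", None, "missing required apps: " + ", ".join(missing))
    if not via_vpn:
        return ("deny", None, "VPN connection required")
    # A MAC address is a weak identifier on its own, so even admitted
    # devices stay on the separate VLAN rather than the main network.
    return ("allow", BYOD_VLAN, "registered and compliant")

# Constructed sample registry.
REGISTRY = build_registry([
    Device("00-1A-2B-3C-4D-5E", "alice", set(REQUIRED_APPS)),
    Device("00:1a:2b:3c:4d:5f", "bob", {"antivirus", "firewall"}),
    Device("00:1a:2b:3c:4d:60", "carol", set(REQUIRED_APPS), reported_lost=True),
])
```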

As with all things related to security, education and awareness are paramount. You should educate employees about the security threats that smartphones and tablets are susceptible to, including what a threat looks like on these devices. Employees also need to know what they can and can’t do with their personal devices when it comes to corporate data. Consider implementing a reward program for employees who follow the policies and help report possible security issues.

Have you recently revised your company’s acceptable use policy to include employees’ personal devices? What guidelines and actions did you include?
